How to use different SSL certs for different virtual domains?

I wonder how I could set up ejabberd in a way that each virtual domain gets its own SSL cert?

doma.tld -> doma.pem
domb.tld -> domb.pem
domc.tld -> domc.pem

and so on. So far that seems to be not possible if I use the standard ports 5222 or 5223. I think something like VirtualHost from Apache is missing.

One idea is that I could set up different SRV DNS records but I'm not sure how many Jabber clients actually query these records.

I think that it isn't

I think that it isn't possible using old SSL connections (port 5223) because the SSL handshake starts before ejabberd knows which virtual host the client is connecting to.

But it could be perfectly possible with the STARTTLS method. But for now, support for different SSL certificates for different virtual hosts isn't implemented.
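The difference described in the reply above, as an added Python example that is not part of the thread and not ejabberd code: with STARTTLS the server sees the stream header's `to` attribute before any TLS handshake, while on legacy SSL the first bytes are already a TLS ClientHello. The fallback `default.pem` and the function names are assumptions; the sample byte strings are constructed.

```python
import re

# Constructed mapping, using the host and file names from the question above.
HOST_CERTS = {"doma.tld": "doma.pem", "domb.tld": "domb.pem", "domc.tld": "domc.pem"}
DEFAULT_CERT = "default.pem"  # hypothetical fallback certificate

TLS_HANDSHAKE = 0x16  # content type of a TLS handshake record (ClientHello)

# Matches the 'to' attribute of an XMPP stream header sent in the clear.
_TO_ATTR = re.compile(rb"<stream:stream\b[^>]*?\sto=(['\"])(.*?)\1", re.S)

# Constructed sample: what a client sends first on port 5222 (STARTTLS later).
STARTTLS_OPEN = (
    b"<?xml version='1.0'?><stream:stream to='domb.tld' xmlns='jabber:client' "
    b"xmlns:stream='http://etherx.jabber.org/streams' version='1.0'>"
)
# Constructed sample: what a client sends first on port 5223 (legacy SSL).
LEGACY_SSL_OPEN = bytes([0x16, 0x03, 0x01, 0x00, 0x2F, 0x01])


def requested_host(first_bytes: bytes):
    """Return the vhost named in a cleartext stream header, or None."""
    if not first_bytes or first_bytes[0] == TLS_HANDSHAKE:
        # Legacy SSL: the handshake starts before any XMPP data is readable,
        # so the server cannot know which virtual host is wanted.
        return None
    match = _TO_ATTR.search(first_bytes)
    if match is None:
        return None
    return match.group(2).decode("ascii", "replace").lower()


def pick_cert(first_bytes: bytes) -> str:
    """Choose the certificate the server can present for this connection."""
    return HOST_CERTS.get(requested_host(first_bytes), DEFAULT_CERT)


if __name__ == "__main__":
    print("5222 / STARTTLS :", pick_cert(STARTTLS_OPEN))
    print("5223 / old SSL  :", pick_cert(LEGACY_SSL_OPEN))
```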

Can 0.9.8 handle multiple

Can 0.9.8 handle multiple different SSL certs now for different virtual hosts? I'm not sure how to configure this part but it seems possible now.

Multi-SSL

I think this is more a problem with SSL itself than ejabberd. IIRC, SSL certs are issued based on IP, not domain, so you can't have multiple SSL certs for different virtual hosts.

different ports; DNS SRV

that seems to be not possible if I use the standard ports 5222 or 5223

Right now (ejabberd 0.9.8) the SSL cert is specified in the 'listen' section, so it's specified per-node. Try the web admin: the 'listened sockets' page is available only on the main server, not on the virtual hosts subparts.

You could define two ports (5222 and 5224), on each one set a different SSL cert and allow logins only to the corresponding users (using 'acl'+'access'). But this way, some of your users will have to configure their clients manually.

I could set up different SRV DNS records but I'm not sure how many Jabber clients actually query these records.

If I remember correctly, Exodus, Psi and Pandion do. Tkabber doesn't.

Different SSL certificates for different virtual domains

According to today's commit (432), the development version of ejabberd in Subversion supports this feature:

2005-11-05  Alexey Shchepin  

	* src/ejabberd_config.erl: Support for per host certificates
	* src/ejabberd_c2s.erl: Likewise
	* src/ejabberd_s2s_out.erl: Likewise
	* src/ejabberd.cfg.example: Updated

--
sander
